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SUBJECT: INF ORM AT ION : Inspection Report on “Internal Controls Over 

Personal Computers at Los Alamos National Laboratory” 

BACKGROUND 


The Office of Inspector General initiated an inspection to determine the adequacy of internal 
controls over the extensive inventory of laptop and desktop computers at Los Alamos National 
Laboratory (LANL). Computers are used in the full range of operations at LANL, to include 
processing classified information. Department of Energy (DOE) and LANL property policies 
identify computers as “sensitive property,” due largely to their susceptibility to theft and 
misappropriation. 

On April 24, 2003, because of the significance of our preliminary findings, we issued an Interim 
Inspection Report, entitled Inspection of Internal Controls Over Personal Computers at Los 
Alamos National Laboratory (DOE/IG-0597). Our inspection has now been completed, and the 
attached report addresses the final results of our review. Our work was completed prior to the 
current security stand-down at Los Alamos. 

RESULTS OF INSPECTION 


Our interim report documented internal control weaknesses regarding LANL computers, 
particularly classified and unclassified laptop computers, including accountability and 
accreditation issues. This follow-on report identifies continuing internal control weaknesses that 
undermine confidence in LANL’s ability to assure that (1) computers are appropriately 
controlled and safeguarded from loss or theft and (2) computers used to process and store 
classified information are controlled in accordance with existing property management and 
security requirements. Specifically, we found that: 

• A number of classified desktop computers were not, as required, entered into the LANL 
property inventory, and some were not assigned a property number; 

• LANL’s Office of Security Inquiries was not notified about a missing component of a 
computer system accredited for classified use, as required; and 

• LANL’s listing of classified desktop and laptop Sensitive Compartmented Information 
Facility computers was not completely accurate, and computer identification in 
accreditation paperwork did not always match the actual classified equipment. 


Printed with soy ink on recycled paper 



In light of the designation of computers as sensitive property, we believe that strict property 
controls need to be consistently applied to classified and unclassified computers at LANL and 
that a strong program of review and oversight needs to be in place to assure that all computing 
resources are properly accounted for and controlled. Our report includes recommendations to 
management designed to enhance LANL’s internal controls over its computer resources. 

This inspection complements similar work performed by the Office of Inspector General at 
several other DOE sites, as well as the Office of Inspector General’s Special Inquiry on 
Operations at Los Alamos National Laboratory (DOE/IG-0584, January 2003), which identified 
inadequate or untimely analysis of, and inquiry into, property loss or theft and security issues; a 
lack of personal accountability for property; and inadequate controls over property systems. 

MANAGEMENT REACTION 


Management concurred with our recommendations. Management’s comments are provided in 
their entirety in Appendix B of the report. 

We found management’s comments to be responsive to our report. 

Attachment 

cc: Deputy Secretary 

Administrator, National Nuclear Security Administration 
Under Secretary for Energy, Science and Environment 
Director, Office of Security and Safety Performance Assurance 
Director, Policy and Internal Controls Management 
Director, Office of Program Liaison and Financial Analysis 
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Overview 


INTRODUCTION 
AND OBJECTIVE 


Computers are used extensively in the full range of operations at 
the Los Alamos National Laboratory (LANL), including processing 
classified information. LANL reported an inventory of 
approximately 5,000 laptop and nearly 40,000 desktop computers at 
the end of Fiscal Year 2002. Department of Energy (DOE) and 
LANL property policies identify computers as “sensitive property,” 
due in part to their susceptibility to theft and potential for conversion 
to cash. Therefore, we believe that management controls over 
computers throughout the DOE complex must remain robust and 
consistent. 

We initiated an inspection to determine the adequacy of internal 
controls over laptop and desktop computers at LANL. Because of 
the significance of our preliminary findings, we issued an Interim 
Inspection Report, titled Inspection of Internal Controls Over 
Personal Computers at Los Alamos National Laboratory (DOE/IG- 
0597, April 2003), which identified significant weaknesses in LANL 
management controls over laptop computers. Our inspection has 
now been completed, and this report addresses the final results of our 
review. The primary focus of the work we conducted subsequent to 
the issuance of our Interim Report was the accountability of desktop 
computers. 

This inspection complements similar work performed by the Office 
of Inspector General at other DOE sites, the results of which maybe 
found in the following reports: Inspection of Internal Controls Over 
Classified Computers and Classified Removable Media at the 
Lawrence Livermore National Laboratory (DOE/IG-0628, 

December 2003); Inspection of Internal Controls Over Laptop and 
Desktop Computers at the Savannah River Site (INS-L-03-09, 

July 29, 2003); and Management of Sensitive Equipment at Selected 
Locations (DOE/IG-0606, June 2003). This inspection also 
complements the Office of Inspector General’s Special Inquiry> on 
Operations at Los Alamos National Laboratory (DOE/IG-0584, 
January 2003), which identified inadequate or untimely analysis of, 
and inquiry into, property loss or theft and security issues; a lack of 
personal accountability for property; and inadequate controls over 
property systems. 
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Internal Controls Over Personal Computers at 
Los Alamos National Laboratory 



OBSERVATIONS 
AND CONCLUSIONS 


In our interim report, we found that internal controls over classified 
and unclassified laptop computers at LANL were inadequate. We 
identified several weaknesses, including poor accountability and 
accreditation of classified laptop computers. Accreditation is the 
authorization by a designated approval authority that a computer 
can be used to process classified information in a specific 
environment, based on the computer meeting pre-specified 
technical requirements for achieving adequate data security. 

This follow-on report identifies continuing control weaknesses that 
undermine confidence in LANL’s ability to assure that 
(1) computers are appropriately controlled and safeguarded from 
loss or theft and (2) computers used to process and store classified 
information are controlled in accordance with existing property 
management and security requirements. Specifically, we found 
that: 

• A number of classified desktop computers were not, as 
required, entered into the LANL property inventory, and some 
were not assigned a property number; 

• LANL’s Office of Security Inquiries was not notified about a 
missing component of a computer system authorized to process 
classified information, as required; and 

• LANL’s listing of classified desktop and laptop Sensitive 
Compartmented Information Facility (SCIF) computers was not 
completely accurate, and computer identification in 
accreditation paperwork did not always match the actual 
classified equipment. 

As previously noted and as discussed in our interim report, DOE 
and LANL identify computers as sensitive property. In this regard, 
we believe that strict property controls need to be consistently 
applied to classified and unclassified computers at LANL and that 
a strong program of review and oversight needs to be in place to 
assure that all computing resources are accounted for and 
controlled. 
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Observations and Conclusions 


Details of Findings 


A number of classified desktop computers were not entered into 
the LANL property inventory, and some were not assigned a 
property number. LANL provided us a listing of its 450 single user 
standalone classified desktop computers, and we compared this 
listing to LANL’s property management system, Sunflower. We 
identified discrepancies with 11 of the classified desktop 
computers. Specifically: 

• Although eight of the classified desktop computers had valid 
property numbers, they were not entered into Sunflower; and 

• Three of the classified desktop computers were not assigned 
property numbers and, therefore, were not entered into 
Sunflower. 

MISSING CENTRAL A missing central processing unit (CPU) 1 that was part of a 

PROCESSING UNIT computer system authorized for classified processing was not 

NOT REPORTED reported to LANL’s Office of Security Inquiries, as required. The 

CPU utilized a removable hard drive, and LANL documentation 
showed that the hard drive had been destroyed. However, LANL 
did not have a record of the final disposition of the CPU. 

This classified CPU was last inventoried on August 13, 2002. The 
CPU was moved on August 26, 2002, along with other property 
that was to be salvaged. However, after it was moved, there was 
no record that it had been taken to salvage, and the CPU was 
determined to be missing. LANL’s “Check List for Missing, Lost, 
Stolen, Damaged or Destroyed Property” requires that missing 
automated information systems authorized for classified processing 
be immediately reported to the LANL Office of Security Inquiries 
by secure means in accordance with the General Security Los 
Alamos Internal Requirement (LIR) 406-00-01.0 Att 14, 

“Reporting Safeguards and Security Incidents.” We were told by a 
LANL official that this missing CPU had not been reported to the 
Office of Security Inquiries as required. 

While there is no evidence that classified information was on the 
missing CPU, it should have been reported to the Office of 
Security Inquiries because the CPU was part of an automated 
information system authorized for classified processing. LANL 

1 As used herein, central processing unit refers to a computer unit, which is the structure that houses the main 
electrical components of a computer; also known as the tower or desk top. 


COMPUTERS NOT 
IN PROPERTY 
INVENTORY 
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Details of Findings 



Details of Findings 


DISCREPANCIES WITH 
CLASSIFIED SCIF 
COMPUTERS 


policy requires that a security inquiry then be conducted. 

However, this inquiry was not performed because the reporting 
process was not followed. 

LANL’s listing of classified desktop and laptop SCIF computers 
was not completely accurate, and computer identification in 
accreditation paperwork did not always match the actual classified 
equipment. LANL’s Office of Cyber Security provided us a listing 
of 65 SCIF computers accredited to process classified information. 
We sampled 14 of the 65 classified SCIF computers to determine if 
the computers on the list could be accounted for, had valid property 
numbers, and had appropriate accreditation paperwork. We 
identified two classified desktop computers with property numbers 
that did not match the accreditation paperwork. In addition, we 
identified a laptop computer that did not belong on the SCIF 
classified computer listing. Although this laptop had been 
accredited for classified use in February 2003, we determined that 
it was not labeled for classified use, was not intended to be used 
for classified processing, and had never been used for that purpose. 
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RECOMMENDATIONS 


MANAGEMENT 

COMMENTS 


INSPECTOR 

COMMENTS 


We recommend that the Manager, Los Alamos Site Office, take 

appropriate action to ensure that: 

1. LANL enters all classified desktop computers into its property 
management system; 

2. LANL properly reports missing classified computers and 
investigates them, including the instance identified in this 
report; 

3. LANL maintains an accurate centralized listing of all 
computers used for classified processing; 

4. LANL verifies that property numbers for classified computers 
match the property numbers on the accreditation paperwork; 
and 

5. The issues raised in this report are considered in the next Site 
Office evaluation of LANL’s property management and 
security performance measures. 

In comments on our draft report, NNSA concurred with our 

recommendations. NNSA’s comments are provided in their 

entirety in Appendix B of this report. 

We found management’s comments to be responsive to our report. 
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Recommendations 
Management and Inspector Comments 


Appendix A 


SCOPE AND 
METHODOLOGY 


The fieldwork for this inspection was conducted from 
December 2002 to March 2004. This review included interviews 
with DOE officials from the National Nuclear Security 
Administration Service Center and officials from LANL and its 
subcontractors. We reviewed applicable policies and procedures 
pertaining to sensitive property and property management. In 
addition, we conducted inventory verification of a judgmental 
sample of laptop and desktop computers. 

This inspection was conducted in accordance with the “Quality 
Standards for Inspections” issued by the President’s Council on 
Integrity and Efficiency. 
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Scope and Methodology 



Appendix B 
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Department of Energy 

National Nuclear Security Administration 

Washington, DC 20585 

AUG 0 4 2004 


MEMORANDUM FOR 


FROM: 




Alfred K. Waiter 

Acting Assistant Inspector General 
for Inspections and Special Inquiries 

t 



Michael C7 Kane_ 

\J Associate Administrator 

for Management and Administration 


SUBJECT. 


Comments to Draft Inspection Report on Personal 
Computers at Los Alamos; S03IS016; 2004-26043 



The National Nuclear Security Administration (NNSA) appreciates the opportunity to 
have reviewed the Inspector General’s (IG) draft Inspection report, “Internal Controls Over 
Personal Computers at Los Alamos National Laboratory.” We understand that this 
inspection was initiated to determine the adequacy of internal controls over both laptop 
and desktop computers at die Laboratory. 

The inspectors concluded that a number of classified desktop computers were not entered 
into the Laboratory's property inventory and some computers were not assigned a property 
number. There was a missing unit that was accredited for classified use which was not 
reported to the Laboratory’s Office of Security Inquiries as missing. Additionally, the 
inspectors concluded that the listing of the Laboratory’s classified desktop and laptop 
“special purpose” computers was not completely accurate and that the accreditation 
paperwork did not always match the actual classified equipment. 

As you arc aware, the Ins Alamos National Laboratory lias suspended all operations until 
each business and programmatic element can be recertified for safe, secure operations. 
Therefore, since we agree with the recommendations, NNSA will provide our corrective 
action plan for each of the recommendations after rite Laboratory has been recertified to a 
safe, secure operational state. 


Should you have any questions about this response, please contact Richard Speidel, 
Director, Policy and Internal Controls Management. He maybe contacted at 202 58b- 
5009. 

cc: Robert Braden, Senior Procurement Executive 

Edwin Wilinot, Manager, Los Alamos Site Office 

William Desmond, Acting Associate Administrator for Defense Nuclear Security 
Karen Boardnian, Director, Service Center 


© 
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Management Comments 



IG Report No. DOE/IG-0656 


CUSTOMER RESPONSE FORM 


The Office of Inspector General has a continuing interest in improving the usefulness of its 
products. We wish to make our reports as responsive as possible to our customers’ requirements, 
and, therefore, ask that you consider sharing your thoughts with us. On the back of this form, 
you may suggest improvements to enhance the effectiveness of future reports. Please include 
answers to the following questions if they are applicable to you: 

1. What additional background information about the selection, scheduling, scope, or 
procedures of the inspection would have been helpful to the reader in understanding this 
report? 

2. What additional information related to findings and recommendations could have been 
included in the report to assist management in implementing corrective actions? 

3. What format, stylistic, or organizational changes might have made this report’s overall 
message clearer to the reader? 

4. What additional actions could the Office of Inspector General have taken on the issues 
discussed in this report which would have been helpful? 

5. Please include your name and telephone number so that we may contact you should we have 
any questions about your comments. 


Name _ Date _ 

Telephone _ Organization 


When you have completed this form, you may telefax it to the Office of Inspector General at 
(202) 586-0948, or you may mail it to: 

Office of Inspector General (IG-1) 

Department of Energy 
Washington, DC 20585 

ATTN: Customer Relations 

If you wish to discuss this report or your comments with a staff member of the Office of 
Inspector General, please contact Wilma Slaughter at (202) 586-1924. 



The Office of Inspector General wants to make the distribution of its reports as customer friendly and cost 
effective as possible. Therefore, this report will be available electronically through the Internet at the 

following address: 

U.S. Department of Energy Office of Inspector General Home Page 

http://www.ig.doe.gov 


Your comments would be appreciated and can be provided on the Customer Response Form 

attached to the report. 



